Prevent users from voting more than once

The_Anomaly
Forum Contributor
Posts: 196
Joined: Fri Aug 08, 2008 4:56 pm
Location: Tirana, Albania

Post by The_Anomaly »

...or perhaps it should be titled, "The sad reality of HTTP protocol."

Basically, I want my users to vote on video--but not vote more than once. The way I currently see it, there are three ways of doing this, each with its own flaws.

1) Cookies! Don't let them vote if a cookie already exists. Only problem with that is that it's common knowledge that clearing your cookies will let you vote again, and again, and again. I have no doubt that there are many scripts/macros that do this automatically, which would obviously screw things up for me very sadly.

2) IP Addresses! This is all well and good, except that they are prone to changing--and changing often. This would lead to all kinds of sadness.

3) Login system! Probably the best option. Only let every account do it once. The terrible issue here is that people hate registering, and to register just to freaking vote is a pain. Especially when the entire application I'm developing is based around people's desire to vote on something they just saw.

So, basically, I'm screwed. It's pretty important that people don't abuse the system, i.e. scripts/macros, but it's also important for people to want to vote, and not be driven away by a registration form. I guess I could include some type of CAPTCHA to prevent the script issue--but it's unheard of to do so to vote.

So, I ask you, my fellow (and very probably superior) developers, are there any other options? I understand this as an inherent flaw/issue that results from the statelessness of web protocol. I just so desperately want a better way to get around it--although, I can't think of anything else. That is, which doesn't include some atrociously invasive ActiveX or Java to get the user's MAC address.

I put this in the Security forum, as I believe that preventing users from manipulating the system (i.e. vote a thousand times) is a security issue. Please move if I judged poorly.

@onion2k: I'll try to refrain from pressing submit five times again ;)
onion2k
Jedi Mod
Posts: 5263
Joined: Tue Dec 21, 2004 5:03 pm
Location: usrlab.com

Re: Prevent users from voting more than once

Post by onion2k »

The_Anomaly wrote: @onion2k: I'll try to refrain from pressing submit five times again ;)
You ruin all my fun. :(

Regarding voting, if it's actually important what the vote tally is then registering is the only solution. Otherwise log their IP and only allow one vote from there every n hours. An ordinary user is unlikely to know what one is let alone how to change it. Cookies are too easy to circumvent to be worth bothering with ... even the most clueless user can delete their cookies.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Prevent users from voting more than once

Post by Mordred »

The_Anomaly wrote: So, basically, I'm screwed.
Bingo :)

I don't agree with onion2k though. Do use cookies, and also track IPs, user agents, whatever you can think of. Log all this, then do some data mining on the data to detect fraudulent votes. Having user accounts helps immensely of course.
The_Anomaly
Forum Contributor
Posts: 196
Joined: Fri Aug 08, 2008 4:56 pm
Location: Tirana, Albania

Re: Prevent users from voting more than once

Post by The_Anomaly »

Mordred wrote:
The_Anomaly wrote: So, basically, I'm screwed.
Bingo :)

:( :(

Mordred wrote: I don't agree with onion2k though. Do use cookies, and also track IPs, user agents, whatever you can think of. Log all this, then do some data mining on the data to detect fraudulent votes. Having user accounts helps immensely of course.

Do you know of any algorithms that might do this for me--or at least give me a starting point? I mean, my problem is a common one--people have non-login voting all the time.
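
A possible starting point for the two approaches discussed in this thread (one counted vote per IP every n hours, and logging cookies, IPs and user agents for later review), as an added example that is not code from any poster. The SQLite table, the function names, the 24-hour window and the sample traffic are all assumptions, and the cookie id stands for a random value the server would issue.

```php
<?php
// Added example; table, column and function names are assumptions, not from the thread.
const VOTE_WINDOW_HOURS = 24; // the "n hours"; the value is an assumption

function open_store(): PDO {
    $db = new PDO('sqlite::memory:'); // in-memory store so the example runs offline
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE votes (video_id INTEGER, ip TEXT, cookie_id TEXT,
                                   user_agent TEXT, voted_at INTEGER, counted INTEGER)');
    return $db;
}

// Log every attempt with all signals. The vote counts only if neither this IP
// nor this cookie already has a counted vote on the video inside the window.
function cast_vote(PDO $db, int $video, string $ip, string $cookie, string $ua, int $now): bool {
    $since = $now - VOTE_WINDOW_HOURS * 3600;
    $q = $db->prepare('SELECT COUNT(*) FROM votes WHERE video_id = ? AND counted = 1
                       AND voted_at > ? AND (ip = ? OR cookie_id = ?)');
    $q->execute([$video, $since, $ip, $cookie]);
    $counted = ((int) $q->fetchColumn() === 0) ? 1 : 0;
    $db->prepare('INSERT INTO votes VALUES (?, ?, ?, ?, ?, ?)')
       ->execute([$video, $ip, $cookie, $ua, $now, $counted]);
    return $counted === 1;
}

// Review query over the log: attempts, distinct cookies and distinct user agents
// per video and IP. Many attempts with a new cookie each time is cookie clearing.
function suspicious_sources(PDO $db, int $minAttempts = 3): array {
    $q = $db->prepare('SELECT video_id, ip, COUNT(*) AS attempts,
                              COUNT(DISTINCT cookie_id) AS cookies,
                              COUNT(DISTINCT user_agent) AS agents
                       FROM votes GROUP BY video_id, ip
                       HAVING COUNT(*) >= ? ORDER BY attempts DESC');
    $q->bindValue(1, $minAttempts, PDO::PARAM_INT); // bind as integer, not text
    $q->execute();
    return $q->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample traffic: documentation-range IPs and made-up cookie ids.
$db = open_store();
$t  = 1700000000;
var_dump(cast_vote($db, 7, '203.0.113.5',  'c-aaa', 'UA-1', $t));              // first vote
var_dump(cast_vote($db, 7, '203.0.113.5',  'c-bbb', 'UA-1', $t + 60));         // cookie cleared
var_dump(cast_vote($db, 7, '198.51.100.9', 'c-aaa', 'UA-1', $t + 120));        // IP changed
var_dump(cast_vote($db, 7, '203.0.113.5',  'c-ccc', 'UA-1', $t + 25 * 3600));  // window over
print_r(suspicious_sources($db));
```

On a shared database the check and the insert need to run in one transaction, otherwise two simultaneous requests can both pass the check. Rows returned by the review query are candidates for inspection rather than proof of fraud, since many honest voters can sit behind one NAT address.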